Re: continues SCAN Proxy attempt

From: Russell Fulton (r.fultonat_private)
Date: Sun May 26 2002 - 17:32:12 PDT

  • Next message: Bill Royds: "RE: Strange scans"

    On Sat, 2002-05-25 at 08:18, Hugo van der Kooij wrote:
    > Hi,
    > For over two day I am being probed by a specific IP adres as shown in this 
    > small sample:
    > May 24 22:08:04 vigor kernel: Packet log: if-inet DENY ppp0 PROTO=6 
    > L=48 S=0x00 I=11804 F=0x4000 T=106 
    > SYN (#36)  
    > May 24 22:08:04 vigor snort[6198]: [1:615:1] SCAN Proxy attempt 
    > [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 
    > ->
    > This occured about 1500 times in a periode of 2 days and 4 hours.
    > I have yet not received any response from the owner of the netblock.
    > Anyone else seen any similar activities from this netblock?
    No, nothing here.
    Is it possible that this is some charley with a misconfigured socks
    client.  If they are repeatedly trying to connect to the same address
    this possibility springs to mind.  We use a socks proxy here on campus
    and every now and again someone takes their laptop overseas and then
    can't figure out why the networking no longer works and we see streams
    of attempts on 1080 at our firewall...
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 18:14:03 PDT